AnApprentice

Reputation: 110960

Rails Devise, how to unencrypt a password?

In Rails 3 Devise, a user record has an encrypted_password and a password_salt.

How, in the console, can I obtain a user's password? How to unencrypt?

Upvotes: 7

Views: 19225

Answers (4)

Jaime Rocha

Reputation: 97

Devise uses BCrypt. You need to modify the encrypted_password field in the USERS table and put a new encrypted password.

You can generate a new encrypted password in this website: http://www.bcrypt-generator.com/

Upvotes: 2

Andrew Kennedy

Reputation: 54

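class User < ActiveRecord::Base

  devise :database_authenticatable...

  # Re-hash the candidate password with this user's salt and compare digests;
  # the stored digest itself is never decrypted.
  def verify_password?(password)
    encryptor_class = Devise::Encryptors.const_get(Devise.encryptor.to_s.classify)
    encryptor_digest = encryptor_class.digest(password, Devise.stretches, self.password_salt, Devise.pepper)
    # Constant-time comparison, so the check does not leak how much of the digest matched.
    Devise.secure_compare(encryptor_digest, self.encrypted_password)
  end
end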

Upvotes: 0

Shreyas

Reputation: 8757

Devise by default uses the BCrypt algorithm, which AFAIK is not decrypt-able. If you need to be able to decrypt passwords, you need to use a different algorithm such as AES.

There is a gem which extends AES support for Devise.

Note: I have answered this question in a purely academic interest. It would be recommended you continue to use BCrypt. I encourage you to exercise severe caution, since managing passwords is risky business.

Upvotes: 14

Zepplock

Reputation: 29145

I think those passwords are one-way encrypted: you can take a password provided by user, encrypt it and compare it to the encrypted one in the database (if matches - successful attempt). But un-encrypting the one in database is not possible, so that no one can get all passwords out. It is a security feature.

Upvotes: 1
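Added example (not part of any answer above and not Devise's own code): a stand-alone Ruby sketch of the one-way flow the answers describe, where a password is verified by re-hashing and a lost password is replaced rather than recovered. PBKDF2-HMAC-SHA256 from the standard library stands in for BCrypt so the script runs without gems; `UserRecord`, `PEPPER`, `STRETCHES` and the helper names are assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed values; in Devise these come from the initializer.
PEPPER    = "constructed-pepper" # stand-in for Devise.pepper
STRETCHES = 10_000               # stand-in for Devise.stretches

# Stand-in for a users row: only the digest and the salt are stored.
UserRecord = Struct.new(:encrypted_password, :password_salt)

# One-way digest: PBKDF2 here, swapped in for BCrypt (assumption).
def digest(password, salt)
  raw = OpenSSL::KDF.pbkdf2_hmac(password + PEPPER, salt: salt,
                                 iterations: STRETCHES, length: 32,
                                 hash: "sha256")
  raw.unpack1("H*")
end

# Setting (or resetting) a password overwrites salt and digest.
def set_password(user, password)
  user.password_salt = SecureRandom.hex(16)
  user.encrypted_password = digest(password, user.password_salt)
  user
end

# Constant-time comparison of two equal-length strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verification re-hashes the candidate; nothing is ever decrypted.
def valid_password?(user, candidate)
  secure_compare(digest(candidate, user.password_salt),
                 user.encrypted_password)
end

user = set_password(UserRecord.new, "original-pass")
puts valid_password?(user, "original-pass")
puts valid_password?(user, "a-guess")

# Lost password: the stored digest cannot be reversed, so replace it.
set_password(user, "replacement-pass")
puts valid_password?(user, "original-pass")
puts valid_password?(user, "replacement-pass")
```

In a Devise application the corresponding console operations are `user.valid_password?("candidate")` to check a password and assigning `user.password` followed by `user.save` to replace one.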
